iPhone date glitch exposes photo albums

If your iOS device's clock is rolled back, your entire photo album is visible even if the device is locked with a passcode.

Technology consultant Ade Barkah has discovered a security/privacy vulnerability in Apple's iPhone that leaks iOS 5 album photographs under certain conditions.

Barkah explains:

follow Ryan Naraine on twitter

This vulnerability is simple to test.  Just set your iPhone’s clock to a time in the past (say, in 2010).  Then access the Camera while your phone is still locked.  Lo-and-behold, you’ll be able to see all your “protected” images.

As part of the iOS 5 upgrade, users get immediate access to the camera even if the device is locked with a passcode.  This feature blocks access to the entire photo album and only allows the user to see photos taken from the current (locked) session.

However, Barkah found that if he rolled back the clock settings on an iOS device, the entire photo album became visible.

The point to all this is that Apple should not rely on a simple timestamp to restrict image access.  Changing the iPhone’s clock — forwards or backwards — should notaffect its security.  We can’t guarantee the clock will always monotonically more forward, and when it doesn’t, the system should fail-secure.

Apple does not respond to media queries about security problems in its products.